Tag Archives: regulations

There are many ways to make up something sensationalist in the media. One of the practical ways is to speculate and create conspiracy theories. Unfortunately, there’s a demand for such stories and they have a very good chance of making a splash.

So how can a global company with Russian roots play a part in a conspiracy theory? Well, this one is easy: there should be some devilish inner job of the Russian secret services (to produce the “I knew it!” effect). In many cases you can change the adjective “Russian” for any other to produce a similar effect. It’s a simple yet effective hands-on recipe for a sensationalist article. Exploiting paranoia is always a great tool for increasing readership.

There are questions we’ve answered a million times: what are our links with the KGB? Why do you expose cyber-campaigns by Western intelligence services? When do you plan to hire Edward Snowden? And other ones of the ‘have you stopped beating your wife?’ kind.

We’re a transparent company, so we’ve got detailed answers ready. Of course we want to dispel any speculation about our participation in any conspiracy. We’ve nothing to hide: we’re in the security business and to be successful in it you have to be open to scrutiny.

To my great regret, there are occasions when journalists publish something sensationalist without taking account obvious and/or easily obtainable facts contrary to their sensationalist claims, and produce stories that are at odds with professional ethics. And sometimes a bad tabloid journalism style finds its way into otherwise quality media publications. I’d like to comment on one such case.

The fashionable fever of looking for Kremlin-linked conspiracies this week reached some journalists at Bloomberg. Curiously, this happened not long after our investigation into the Equation Group.

It’s been a long time since I read an article so inaccurate from the get-go – literally from the title and the article’s subheading. So it came as little surprise that a large part of the rest of the article is simply false. Speculations, assumptions and unfair conclusions based on incorrect facts. In their pursuit for a sensation, the journalists turned things upside down and ignored some blatantly obvious facts.

My congratulations to the authors: they’ve scored high in bad journalism.

But that’s where the emotion stops today. Now let’s just look at the cold facts – rather, lack of them. Let me go through some of the most outrageous and twisted gaffes.

I must have said this a million times, but we do not care who’s behind the cyber-campaigns we expose. There is cyber-evil and we fight it. If a customer comes and shows us a problem we investigate it. And once we take the genie out of the bottle, there’s no way we can put it back.

The only other statement that can compete with this one in terms of frequency, silliness and falsity is: ‘AV companies write the virus themselves’.

Let me spell it out and use a few capitals: I’ve NEVER worked for the KGB.

My detailed biography has been widely distributed around the world and can be easily found online. It clearly states (I wonder if the journalists read it) that I studied mathematics at a school sponsored by they Ministry of Atomic Energy, the Ministry of Defense, the Soviet Space Agency and the KGB. After graduating, I worked for the Ministry of Defense as a software engineer for several years. But whatever… as they say, ‘never let the facts get in the way of a good story’. Right?

UPDATE:

Looks like the Bloomberg journos behind the story read my post (but not in detail; otherwise they’d have taken the article down) and made a minor edit to their text. Now, I never worked for KGB but for … Russian military intelligence!

For the record: I never worked for Russian military intelligence. As I mentioned above, I worked as a software engineer at the Ministry of Defense.

Bloomberg spots that Kaspersky is Russian, fails to point out nationality of FireEye, MFE, SYMC, In-Q-Tel etc. etc.http://t.co/H0w74rbCS4

Is there an implication here that the ‘quickly removed by headquarters’ was to cover up some secret truth – before it got out? Maybe not. But if you do see a possible one, let me tell you what happened:

the design of the our antivirus software box with the KGB mention was developed by our Japanese partners. I learned about it only after it was printed, and asked to have it changed as it just wasn’t true, which was done.

And if there’s a further implication that the mention was removed because we were going global and recruiting ‘senior managers in the U.S. and Europe’ (with whom KGB mentions might not sit well), well then that’s not right either. We were already global. Our American, European and Asian employees (who now make up more than a third of total company’s headcount) had no say in it. Even if they did – so what? Bottom line – I never served in the KGB!

Just nonsense!

First, people join and leave organizations all the time. Second, we value only professional qualities in our people. Third, there’s no evidence of ‘closer’ – not even close – ties to Russia’s military or intelligence services. Must say though, I’d be really interested to find out who’s joined our top management team since 2012 who has ‘closer ties to Russia’s military or intelligence services’. I’m dying of curiosity!

I do appreciate this interest in my recreational-prophylactic habits. While the reader may visualize naked male bodies in a steam room and dicussions of conspirational plans to conquer the world, the truth of the matter is quite something else. It highlights another way in which the journalists ignored our emailed comments to them to sacrifice objectivity for quirky details and stereotypes.

First, sometimes I do go to the banya (sauna) with my colleagues. It’s not impossible that there might be Russian intelligence officials visiting the same building simultaneously with me, but I don’t know them.

Second, we do fight cybercrime. And without cooperating with law enforcement agencies around the globe (including in the U.S., the UK, Japan, other European countries; INTERPOL and Europol) our battle would have been significantly less effective than it has been recreational – if not completely futile.

Official meetings sometimes do turn pretty informal, including with officers belonging to the security services of the U.S., the UK, Japan, other European countries; INTERPOL and Europol (oops, I’m repeating myself). And I consider the stories about my possible encounters with security officials in a banya an attempt to deliberately mislead readers; the journalists don’t mention that we are impartial in our fight against cybercrime, no matter where it strikes. A warning, dear readers: don’t believe everything you read!

‘Gotcha, we’ve caught you! You investigate only US operations and not Russian!’

Well, this one’s real simple. FireEye did some great research, so publishing our own after theirs made no sense. We carefully read the FireEye report, warned our users and… kept on researching the Sofacy operation. BTW, our experts are still working on it, as it’s closely connected to the MiniDuke operation. But please don’t ask why FireEye didn’t announce MiniDuke! You know the answer (hint: who was the first to uncover it?).

We’ve launched an internal investigation, carefully examined all our archives for the last three years, and haven’t found such an email. Those who know Garry personally know he’s not the kind of man to write such things.

Does two-year compulsory military service of 18-year old private Chekunov equal working for the KGB? Really? Dear authors, why did you miss the detail where, in the USSR, military service was obligatory for all males, and it was random which particular service you served in? Some entered the infantry, others the submarine division of the navy. Mr. Chekunov served in the Soviet Union’s Border Service for two years, and at that time the service reported to the KGB.

Oh those Russians banya nights. The nerve center of all secret operations’ planning!

Actually, here, thanks are due to the authors for the PR! Our Computer Incidents Investigation Unit (CIIU) helps our clients deal with sophisticated cyber-incidents. If law enforcement agencies contact us, we help – regardless of their country. We assist with our world-class expertise any law enforcement agency to save the world from any cyber-evil.

The Computer Incidents Investigation Unit (CIIU) has remote access to the personal data of our users? That is a false statement.

Next: the keyword here is ‘can’. Theoretically, any security vendor can do that. Following this logic you can imagine what nasty things Facebook, Google or Microsoft can theoretically do. Theoretically, authors of an article can stick to facts.

The reality, however, is that I’ve no reason to risk my 700mln$ business. Everything we do and can do is stated in the End-User License Agreement (EULA). Moreover, we reveal our source code to large customers and governments. If you have any fears about backdoors – come and check. Seriously. Referring to a theory is an allegation unworthy of a respectable publication.

This part explains a lot. Some folks who get fired have a chip on their shoulder. Human nature. It’s common. They have some media contacts – they fancy getting their ‘revenge’. Same old!

I am just worried about how respected media put their reputation on the line based on speculation. As a result we have a perfect example of a sensationalist headline:

Bloomberg's Management Committee includes US citizens only. Does it mean Bloomberg has close ties to US spies? http://t.co/3AAuMPg90e

Our Chief Legal Officer served in the Border Control when he was 18 and at that time the service was a part of the KGB.

Mysterious covert data which proves I’m a KGB spy?! This world-famous news agency undertook a huge investigation – believe me, it was impressive! During the fact checking they asked very detailed, probing questions, yet all they came up with were… unproved allegations. Do you know why?

Because there’s nothing there to find.

It’s very hard for a company with Russian roots to become successful in the U.S., European and other markets. Nobody trusts us – by default. Our only strategy is to be 1000% transparent and honest. It took years to explain who we are. Many people attempted to find ‘dirt’ on us – and failed. Because we’ve nothing to hide.

Actually, I’d like to thank Bloomberg and all the journalists behind this story! Much like our antivirus often does, they performed a full system scan –and found nothing. It’s like a halal or kosher stamp – check! External audit successfully passed.

‘The hardest thing of all is to find a black cat in a dark room, especially if there’s no cat.”

.@e_kaspersky responds to Bloomberg’s allegations in connection with Russian LETweet

True to my word, herewith, the second installment of my new weekly (or so) series, ‘dark news from the cyber-side’, or something like that…

Today the main topic will be about the security of critical infrastructure; in particular, about the problems and dangers to be on the watch for regarding it. Things like attacks on manufacturing &nuclear installations, transportation, power grid and other industrial control systems (ICS).

Actually, it’s not quite ‘news’ here, just kinda news – from last week: fortunately critical infrastructure security issues don’t crop up on a weekly basis – at least, not the really juicy bits worthy of a mention. But then, the reason for that is that probably that most issues are kept secret (understandable, but worrying all the same) or simply no one is aware of them (attacks can be carried out on the quiet – even more worrying).

So, below, a collection of curious facts to demonstrate the current situation and trends as regards critical infrastructure security issues, and pointers to what needs to be done in face of the corresponding threats.

Turns out there are plenty of reasons to be bowled over by critical infrastructure issues…

If ICS is connected to the Internet, it comes with an almost 100% guarantee of its being hacked on the first day

The motto of engineers who make and install ICS is ‘ensure stable, constant operation, and leave the heck alone!’ So if a vulnerability in the controller is found through which a hacker can seize control of the system, or the system is connected to the Internet, or the password is actually, really, seriously… 12345678 – they don’t care! They only care about the system still running constantly and smoothly and at the same temperature!

After all, patching or some other interference can and does cause systems to stop working for a time, and this is just anathema to ICS engineers. Yep, that’s still today just the way it is with critical infrastructure – no seeing the gray between the black and the white. Or is it having heads firmly stuck in the sand?

In September last year we set up a honeypot, which we connected to the Internet and pretended was an industrial system on duty. The result? In one month it was successfully breached 422 times, and several times the cyber-baddies got as far as the Programmable Logical Controllers (PLC) inside, with one bright spark even reprogramming them (like Stuxnet). What our honeypot experiment showed was that if ICS is connected to the Internet, that comes with an almost 100% guarantee of its being hacked on the first day. And what can be done with hacked ICS… yes, it’s fairly OMG. Like a Hollywood action movie script. And ICS comes in many different shapes and sizes. For example, the following:

The Internet and mobile devices and related gadgetry have brought so much incredibly useful stuff into our lives that sometimes it’s hard to imagine how on earth anyone managed without it before. You know, purchasing airline tickets and checking in, online shopping and banking, multi-device data sharing, keeping the kids occupied on the backseat of the car with a film on their tablets (in my youth you just sat there or played I Spy). But I digress, and so early on in this post…

Alas, along with all the good and helpful stuff to make life easier, the Internet’s brought us other stuff – bad stuff that’s harmful and dangerous. Malware, spam, hard-to-trace cybercrims, cyberweapons, etc., etc. There’s also Internet fraud, which is what I’ll be writing about in this post, or – more to the point – how to combat it.

But let’s start with the basics: who suffers from Internet fraud?

Consumers? Well, yes, but not much compared with businesses: the brunt of the cost of online fraud is taken by banks, retailers, and in fact any online operators.

Prevention is better than cure. And that goes for fighting patent trolls too.

With this old adage in mind we recently filed a lawsuit against Device Security LLC seeking invalidation and non-infringement of the patent covering the tech involved in protecting data on mobile devices. This marks a distinct change of tactics on our behalf: Though we’ve been warring with patent parasites for eight years already, this is the first time we’ve gone for a preventative attack.

The euphoria after our recent single-handed victory over a patent troll has died down – a little. It was real nice to read lots of different accounts of the good news (like this, this, this, this and this) and multiple encouraging comments from users. However, the real struggle has only just begun – ahead lies a lot of hard work and hassle, albeit interesting hassle. So now’s probably a good time to sum up everything.

Payback can be slow – painfully slow – in coming, but thankfully, at last, it does seem to be showing signs of finally arriving and hitting some most unsavory types – patent trolls – squarely in the nether regions.

I’ve already waxed lyrical here about trolls and what needs to be done to up the fight in tackling this scourge.

Here, let me give you a quick review of what needs to be done:

Patent use to be limited – a ban on claims for a term preceding their acquisition;

Mandatory compensation of a defendant’s expenses if a lawsuit against it is either defeated in court or withdrawn;

A ban on patent aggregators bringing lawsuits;

An increase in the required detail and accuracy of patent descriptions, and mandatory technical expert examinations;

The main thing: not for ideas to be patented, but their concrete practical application.

Sometimes it seems like US legislators read my blog! Finally, something is getting done – and not just anywhere, but in the state of Vermont, where the first anti-troll law has come into effect!

There’s a lot of interesting stuff in this law, but what I like most in it is that now a defendant company can demand from a patent troll reimbursement of all its legal costs if it manages to prove that the troll acted not in good faith.

“Patents against innovation”. Sounds as paradoxical as “bees against honey”, “hamburger patties against buns”, “students against sex” or “rock ‘n’ roll against drugs”.

Patents against innovation? How can that be possible? Patents exist to protect inventors’ rights, to provide a return on R&D investment, and generally to stimulate technological progress. Well, maybe it’s like that for some things, but in today’s software world – no way.

Today’s patent law regarding software is…well, it’s a bit like one of those circus mirrors where reality is distorted. Patent law is now just so far removed from common sense that it’s patently absurd; the whole system right down to its roots needs to be overhauled. ASAP! Otherwise innovative patents meant to encourage and protect will simply fail to materialize. (Good job, patent system. Stellar work.)

So how did everything end up so messed up?

Well, despite the virtuous original intention of patents to protect inventors – today they’ve mainly turned into nothing more than an extortion tool, whose objective is just the opposite of protecting innovation. The contemporary patent business is a technological racket – a cross-breed between… a thieving magpie and a kleptomaniac monkey – with a malicious instinct to drag anything of value back to its lair.

Growth in the number of patent lawsuits with the participation of “trolls“

A serious issue I’ve been critically writing and talking about for several years now has finally made its way up through the echelons of power to find itself being officially recognized – and condemned – by no less than the President of the USA! Indeed, the day before President’s Day Barack Obama issued a strong rebuke against patent trolls! When asked to comment on the current situation as regards the protection of intellectual property and abuses of patents, he came out with the following gem:

“The folks that you’re talking about [patent trolls] are a classic example; they don’t actually produce anything themselves. They’re just trying to essentially leverage and hijack somebody else’s idea and see if they can extort some money out of them.”

Ye gods. At last some sense from the top! He went on to say that patent trolls (not the term he used!) represent one of the main things very wrong with the current American patent system. Then he commented on his administration’s attempts at patent reform:

“I do think that our efforts at patent reform only went about halfway to where we need to go, and what we need to do is pull together additional stakeholders and see if we can build some additional consensus on smarter patent laws.”

You can read a bit more on Obama’s comments here, or check this video out – from the 16th minute:

On Tuesday, President Obama issued a long awaited Executive Order on cyber security intended to expand and deliver more robust information sharing between government and the private sector. The Executive Order also requires the development of a voluntary cyber framework and standards to improve protection of the U.S. critical infrastructure. The Executive Order rightly focuses on a risk-based approach. Resources are limited and prioritization to secure those areas most at risk is smart policy. The sophistication of threats and targeted attacks on key economic sectors around the world stresses the urgency that action be taken to better secure critical infrastructure. This effort by President Obama is a positive step to address a real gap in the protection of critical assets necessary to the well being of the United States.

The risk to critical infrastructures is real, and an international challenge that must be addressed by governments and the private sector together. As we see more threats to the national and economic security of countries, action must be taken to better protect those critical national infrastructures. Attacks like Stuxnet, Flame, Gauss and Shamoon are becoming commonplace and keep growing in sophistication.

I believe this executive order is a move in the right direction as it seeks to increase digital defenses of critical infrastructure, and tries to facilitate the exchange of threat information between the government and private sector. Better cooperation between governments around the world and their private sectors to improve sharing of timely and relevant cyber threat information is essential. Likewise, operators of the critical infrastructures must work to implement flexible performance based standards to secure their assets.

We are at a critical juncture on cyber security protection, and leadership in the U.S. and around the world is essential. We hope that other nations and unions will follow this example and take steps to better protect their national critical infrastructures.

We’re ready to support and assist in national and international cyber defense efforts with our research, technologies and people.

I recently found myself wondering how many interviews with the press I do every month. Of course the totals fairly helter skelter between months, but in the busier periods the number can get anywhere up to 70! And that’s only spoken interviews, i.e., those done in person or over the phone. If I were to also include e-mail interviews – the number would be just silly.

But I don’t complain. In fact just the opposite – I love interviews! Which reminds me of Richard Branson and his simple rule about interviews: “If CNN rings me up and wants to do an interview with me, I’ll drop everything to do it.” I also follow this rule – to the letter – and not without good reason.

Most interviews are what you’d expect. I get asked lots of questions, I answer them as best I can, and that’s about it.

But in a very few rare instances I get interviewed by a really well read-up journalist, meticulous to the point of hair-splitting, who not only knows all about me and KL and what we do, but also all about the particular narrow topic the interview’s about. By the end of the allotted hour I’m exhausted, the mind’s pretty much frazzled, and I feel like my very soul’s been extracted together with my long-winded answers to the sophisticated questions.

These are the trickiest and most trying kinds of interviews, but also the most useful. Why? Because during such intense sessions the gray matter inside the skull shifts up a gear or three and really gets to work, thinking in new ways and approaching familiar topics from fresh standpoints – to such an extent that after the end of the interview the momentum keeps the ideas coming, leading to all sorts of new insights. All really quite fascinating how creative cognition comes about. And all kicked-off by super-sharp reporters doing their job masterfully. Respect due. And a thank you!

Curiously, what unites such “special” interviews with regular ones is an inevitable question about the most pressing IT Security issues today – something like: “What keeps you up at night (in terms of IT Security hazards)?”! And I don’t get asked this all the time just by journalists in interviews. The question pops up at practically every IT conference I speak at.

And so: as promised earlier, here I’m presenting my List of the Five Main Issues Facing IT Security, in the broad sense of the term.

I should say straight away that I don’t have prescriptions for solving all five issues. The aim of this post is more to identify the problems, let you start to muse on them, and hopefully draw you into the fold of their ongoing discussion by raising your interest, empathy and/or sympathy!